After media reports showed how the location of cellphone users in the U.S. and Canada could be obtained without their consent, wireless carriers in the U.S. say they will scale back the location data-sharing relationships that allowed the privacy breaches to happen in the first place.
But in Canada, it’s still business as usual — because the standard for sharing a person’s location is already higher here than in the U.S., a joint data-sharing venture between the country’s three major telecom companies insists.
Major U.S. carriers such as Verizon and AT&T made their subscribers’ location available through a third-party aggregator called LocationSmart, which in turn sold access to the data to other companies for purposes such as fraud prevention and marketing.
In Canada, Rogers, Telus and Bell operate a similar aggregator themselves, a joint venture called EnStream. It charges approved third-party companies a fee to look up a user’s location at a given moment — and only with their explicit consent.
“It’s a governance issue,” explained Robert Blumenthal, EnStream’s chief identity officer. He said that because EnStream is jointly owned and operated by the telecom companies, they can more tightly monitor and control who is requesting access to their subscribers’ location than telecom companies could in the U.S.
And unlike the U.S., Blumenthal said EnStream already bars law enforcement and marketing uses.
‘Someone can just lie’
Still, both EnStream and U.S. brokers like LocationSmart are similar in one significant way: Their relationships with third-party companies are largely built on the trust that any access to location data won’t be abused.
“You’re relying on somebody, somewhere — whether that’s in the telecom, or the broker provider in the application — to record that signal [of consent] correctly and relay it to the telecom system,” said Sarah Jamie Lewis, previously a telecommunications security analyst for the U.K. government intelligence agency GCHQ, and now the executive director of Vancouver-based non-profit OpenPrivacy. “And that model can always be broken, because someone can just lie.”
This is precisely what happened in the U.S. The New York Times reported last month that a former U.S. sheriff was able to use a service called Securus to track the location of U.S. cellphones by falsely claiming he had the authority to do so. The location data was ultimately provided by LocationSmart.
Shortly after, a Carnegie Mellon University security researcher discovered a flaw in the LocationSmart website that could also allow someone to look up the location of cellphone users in both the U.S. and Canada without their consent.
In the aftermath, Verizon, AT&T, Sprint and T-Mobile said they would wind down their existing agreements with LocationSmart and companies like it. Like EnStream, it’s possible they could choose to handle future access to location data themselves.
EnStream counts LocationSmart as a partner, but Blumenthal would not say whether his company would follow the lead of U.S. wireless carriers and end its current relationship with LocationSmart, too.
“We are exploring all options related to LocationSmart and others,” said Blumenthal, whose company also counts another U.S. broker, Zumigo, as a partner. “It would be premature for me to comment any further at this time.”
A ‘weak model of consent’
Wireless carriers in both Canada and the U.S. have said that the location data they provide — which differs from the location data used in apps like Uber or Google Maps — can be used for beneficial purposes, such as emergency assistance, fraud prevention and tracking delivery vehicles. They stress that location data will only be shared if users opt in.
But as the New York Times has reported, safeguards designed to ensure that consent had actually been given still did not prevent Securus’ access to location data from being abused.
Ideally, users would be the only ones with control over who could access their location, said Jamie Lewis. Instead, telecom companies offer users what she calls a “weak model of consent” — where users have to trust that EnStream and all of its partners, who also control access to their location, will always respect their decision to share their location or not.
“Any system that has an element of trust built into it, that trust can always be violated by someone,” Jamie Lewis said.
Blumenthal said there are measures in place to ensure that trust isn’t abused. He said that Canadian privacy laws are stricter than in the U.S., and prevent location data accessed for one purpose from being used for another. And he said that by carefully vetting their customers, they hope to spot companies like Securus before abuse occurs.
“We have a direct line of sight to who the customer is, even though it might go through a third party” like LocationSmart, Blumenthal said. He said that if a cellphone user ever complained their location had been shared without their consent, EnStream would be able to trace the request back to see if consent was improperly obtained.
The move by U.S. carriers to more strictly limit access to their customers’ location data was spurred by inquiries from U.S. Senator Ron Wyden, whose office has spent recent months investigating privacy and security issues with cellular networks.
However, none of the major U.S. carriers say they will stop selling access to their subscribers’ location data outright, according to the Associated Press. Verizon, for example, said “beneficial services” such as roadside assistance would continue — which puts them more in line with what EnStream currently offers in Canada.